sherlock-audit / 2024-05-napier-update-judging


zzykxx - Users can frontrun LSTs/LRTs tokens prices decrease in order to avoid losses #65

Open sherlock-admin4 opened 2 months ago

sherlock-admin4 commented 2 months ago

zzykxx

medium

Users can frontrun LSTs/LRTs tokens prices decrease in order to avoid losses

Summary

Users can redeem their PT/YT tokens before a price decrease of a supported LST/LRT token in order to avoid losses.

Vulnerability Detail

Napier allows users to redeem their PT/YT tokens for ETH via BaseLSTAdapter::prefundedRedeem() instantly if the amount to be withdrawn is lower than or equal to the available ETH buffer. The in-scope adapters that allow this are:

A Napier user that staked in one of these adapters can:

  1. Monitor the mempool and the beacon chain to know in advance if either the eETH or uniETH tokens will lose value.
  2. Frontrun the value loss by redeeming their PT and YT tokens via Tranche::redeemWithYT(), which will call BaseLSTAdapter::prefundedRedeem(), in exchange for ETH.

Because the value drop is still not reflected in the Napier protocol, the staker will be able to withdraw his funds without being affected by the losses.

In the case of eETH, a rebase token, an attacker can know if a balance drop will happen by monitoring the mempool for calls to rebase() in the EtherFi LiquidityPool contract.

In the case of uniETH, an attacker can know if the token will lose value by monitoring the protocol validators for penalties and slashing events. Bedrock (uniETH) is built on top of EigenLayer, which can be notified of balance drops due to penalties or slashings via two permissionless functions: EigenPod::verifyBalanceUpdates() and EigenPod::verifyAndProcessWithdrawals(). This allows an attacker to perform the following series of calls atomically to avoid losses:

  1. Monitor the Bedrock validators on the beacon chain for penalties and slashings.
  2. Call Tranche::redeemWithYT() to redeem PT/YT in exchange for ETH.
  3. Call EigenPod::verifyBalanceUpdates()/EigenPod::verifyAndProcessWithdrawals() to notify EigenLayer of the balance drop.
  4. The value of uniETH will instantly drop.
  5. Deposit the previously withdrawn ETH for more YT/PT tokens than the initial amount.

Another instance that instantly lowers the value held by the UniETHAdapter adapter is the call to UniETHAdapter::swapUniETHForETH(), because a 0.05% fee is paid to UniswapV3; this can also be frontrun by stakers to avoid bearing the losses of the fee.

Impact

Stakers can avoid losses, which implies honest stakers will lose more than they should.

Code Snippet

Tool used

Manual Review

Recommendation

Introduce a withdraw queue; this will prevent this kind of frontrunning attack.
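
The following model is an added illustration, not part of the report or of Napier's code. It compares how a fixed loss is shared between two holders when one of them redeems through an instant buffer path and when the same request goes through a withdraw queue that settles after the loss is recorded. The `Adapter` class, its method names, the holder names and all amounts are constructed for this example.

```python
from dataclasses import dataclass, field

@dataclass
class Adapter:
    """Toy accounting model in integer ETH units (constructed, not Napier code)."""
    buffer: int       # idle ETH that can be paid out instantly
    lst_value: int    # ETH value of the staked LST/LRT position
    shares: dict      # holder -> share balance
    queue: list = field(default_factory=list)

    def _pay(self, user: str) -> int:
        total = self.buffer + self.lst_value
        out = self.shares[user] * total // sum(self.shares.values())
        if out > self.buffer:
            raise ValueError("amount exceeds ETH buffer")
        del self.shares[user]
        self.buffer -= out
        return out

    def redeem_instant(self, user: str) -> int:
        # Instant path: paid at whatever value the adapter currently records.
        return self._pay(user)

    def request_redeem(self, user: str) -> None:
        # Queue path: shares stay exposed to the pool until settlement.
        self.queue.append(user)

    def report_loss(self, eth: int) -> None:
        # A slashing or negative rebase becomes visible to the adapter.
        self.lst_value -= eth

    def settle(self) -> dict:
        # Queued requests are priced after pending losses are recorded.
        paid = {u: self._pay(u) for u in self.queue}
        self.queue.clear()
        return paid

def run(use_queue: bool, loss: int = 20) -> dict:
    a = Adapter(buffer=100, lst_value=100, shares={"early": 100, "honest": 100})
    if use_queue:
        a.request_redeem("early")
        a.report_loss(loss)
        early = a.settle()["early"]
    else:
        early = a.redeem_instant("early")
        a.report_loss(loss)
    honest = a.buffer + a.lst_value  # sole remaining holder owns all assets
    return {"early": early, "honest": honest}
```

With the instant path the remaining holder absorbs the entire 20 ETH loss; with the queue both holders bear 10 ETH each.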

massun-onibakuchi commented 2 months ago

It is a known behavior seen in many LST/LRT integrations like DEX